package com.github.binarywang.wxpay.v3.auth;

import com.github.binarywang.wxpay.config.WxPayHttpProxy;
import com.github.binarywang.wxpay.util.HttpProxyUtils;
import com.github.binarywang.wxpay.v3.Credentials;
import com.github.binarywang.wxpay.v3.WxPayV3HttpClientBuilder;
import com.github.binarywang.wxpay.v3.util.AesUtils;
import com.github.binarywang.wxpay.v3.util.PemUtils;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.locks.ReentrantLock;
import me.chanjar.weixin.common.error.WxRuntimeException;
import me.chanjar.weixin.common.util.json.GsonParser;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/github/binarywang/wxpay/v3/auth/AutoUpdateCertificatesVerifier.class */
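/**
 * {@link Verifier} that downloads the platform certificate list from {@code /v3/certificates}
 * and delegates signature verification to a {@link CertificatesVerifier} built from it.
 *
 * <p>The list is fetched once in the constructor and then re-fetched lazily: every call to
 * {@link #verify(String, byte[], String)} or {@link #getValidCertificate()} first checks whether
 * the refresh interval has elapsed.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The very first download is made with a response validator that accepts everything,
 *       because no platform certificate is available yet to check the response signature.
 *       The certificates are only accepted after they decrypt under the API v3 key; this
 *       presumably relies on {@code AesUtils} performing authenticated decryption, so confirm
 *       that against {@code AesUtils} before weakening anything here.</li>
 *   <li>Every later download is validated with the certificates that are already trusted.</li>
 *   <li>If a refresh fails with an I/O or crypto error, the previous certificate set stays in
 *       use and only a warning is logged, so that log line is worth alerting on.</li>
 *   <li>The API v3 key array is stored by reference, not copied. Callers must not mutate or
 *       zero it while this verifier is in use.</li>
 * </ul>
 */
public class AutoUpdateCertificatesVerifier implements Verifier {
    private static final Logger log = LoggerFactory.getLogger(AutoUpdateCertificatesVerifier.class);
    private static final String CERT_DOWNLOAD_PATH = "/v3/certificates";

    // Time of the last successful refresh. Written after `verifier`, read before it.
    private volatile Instant instant;
    private final int minutesInterval;
    // Current trusted certificate set, replaced wholesale on each successful refresh.
    private CertificatesVerifier verifier;
    private final Credentials credentials;
    private final byte[] apiV3Key;
    private String payBaseUrl;
    // Ensures only one thread refreshes at a time. Other threads keep using the current set.
    private final ReentrantLock lock;
    private WxPayHttpProxy wxPayHttpProxy;

    /** Predefined refresh intervals, expressed in minutes. */
    public enum TimeInterval {
        OneHour(60),
        SixHours(360),
        TwelveHours(720);

        private final int minutes;

        /** @return the length of this interval in minutes */
        public int getMinutes() {
            return this.minutes;
        }

        TimeInterval(int i) {
            this.minutes = i;
        }
    }

    /**
     * Creates a verifier that refreshes every {@link TimeInterval#OneHour} and uses no proxy.
     *
     * @param credentials credentials used to sign the certificate download request
     * @param bArr the API v3 key used to decrypt the downloaded certificates
     * @param str base URL of the pay API; {@code /v3/certificates} is appended to it
     */
    public AutoUpdateCertificatesVerifier(Credentials credentials, byte[] bArr, String str) {
        this(credentials, bArr, TimeInterval.OneHour.getMinutes(), str);
    }

    /**
     * Creates a verifier with a custom refresh interval and no proxy.
     *
     * @param credentials credentials used to sign the certificate download request
     * @param bArr the API v3 key used to decrypt the downloaded certificates
     * @param i refresh interval in minutes
     * @param str base URL of the pay API; {@code /v3/certificates} is appended to it
     */
    public AutoUpdateCertificatesVerifier(Credentials credentials, byte[] bArr, int i, String str) {
        this(credentials, bArr, i, str, null);
    }

    /**
     * Creates a verifier and immediately performs the first certificate download.
     *
     * <p>Note that this constructor indirectly calls the overridable
     * {@link #customHttpClientBuilder(WxPayV3HttpClientBuilder)}, so a subclass override runs
     * before the subclass's own fields are initialised.
     *
     * @param credentials credentials used to sign the certificate download request
     * @param bArr the API v3 key used to decrypt the downloaded certificates (kept by reference)
     * @param i refresh interval in minutes
     * @param str base URL of the pay API; {@code /v3/certificates} is appended to it
     * @param wxPayHttpProxy proxy settings handed to {@code HttpProxyUtils.initHttpProxy}; may be null
     * @throws WxRuntimeException if the initial download fails or yields no usable certificate
     */
    public AutoUpdateCertificatesVerifier(Credentials credentials, byte[] bArr, int i, String str, WxPayHttpProxy wxPayHttpProxy) {
        this.lock = new ReentrantLock();
        this.credentials = credentials;
        this.apiV3Key = bArr;
        this.minutesInterval = i;
        this.payBaseUrl = str;
        this.wxPayHttpProxy = wxPayHttpProxy;
        try {
            autoUpdateCert();
            this.instant = Instant.now();
        } catch (IOException | GeneralSecurityException e) {
            // Fail closed: without at least one certificate nothing can be verified.
            throw new WxRuntimeException(e);
        }
    }

    /**
     * Refreshes the certificate set if it is due, then delegates to the current
     * {@link CertificatesVerifier}.
     */
    @Override
    public boolean verify(String str, byte[] bArr, String str2) {
        checkAndAutoUpdateCert();
        return this.verifier.verify(str, bArr, str2);
    }

    /**
     * Refreshes the certificate set when the refresh interval has elapsed.
     *
     * <p>The lock is only tried, never waited on: a thread that loses the race proceeds with the
     * certificates currently held. {@link IOException} and {@link GeneralSecurityException} are
     * logged and swallowed so verification can continue with the previous set. A
     * {@link WxRuntimeException} raised by the download (non-200 status, empty list) is not
     * caught here and propagates to the caller.
     */
    private void checkAndAutoUpdateCert() {
        Instant lastRefresh = this.instant;
        boolean refreshDue = lastRefresh == null
            || !lastRefresh.plus(this.minutesInterval, ChronoUnit.MINUTES).isAfter(Instant.now());
        if (!refreshDue || !this.lock.tryLock()) {
            return;
        }
        // The lock is held from here on, so unlock() in finally always has a matching lock.
        try {
            autoUpdateCert();
            this.instant = Instant.now();
        } catch (IOException | GeneralSecurityException e) {
            // `instant` is left unchanged on failure, so the next call retries the refresh.
            log.warn("Auto update cert failed, exception = {}", e);
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Downloads, decrypts and installs the current platform certificate list.
     *
     * @throws IOException if the HTTP exchange or the certificate parsing fails
     * @throws GeneralSecurityException if decrypting a certificate fails
     * @throws WxRuntimeException if the server answers with a non-200 status or no certificate
     *     in the response is currently valid
     */
    private void autoUpdateCert() throws IOException, GeneralSecurityException {
        // Bootstrap case: with no certificate yet, the response signature cannot be checked, so
        // the validator accepts everything. Later refreshes are validated with the current set.
        WxPayV3HttpClientBuilder clientBuilder = WxPayV3HttpClientBuilder.create()
            .withCredentials(this.credentials)
            .withValidator(this.verifier == null ? closeableHttpResponse -> true : new WxPayValidator(this.verifier));
        HttpProxyUtils.initHttpProxy(clientBuilder, this.wxPayHttpProxy);
        customHttpClientBuilder(clientBuilder);

        // NOTE(review): the client itself is never closed. It is left open on purpose here
        // because a customHttpClientBuilder override could install shared resources that
        // closing the client would shut down. Confirm, then close it if that is safe.
        CloseableHttpClient httpClient = clientBuilder.build();
        HttpGet request = new HttpGet(this.payBaseUrl + CERT_DOWNLOAD_PATH);
        request.addHeader("Accept", "application/json");

        int statusCode;
        String body;
        // Closing the response releases the underlying connection even when reading fails.
        try (CloseableHttpResponse response = httpClient.execute(request)) {
            statusCode = response.getStatusLine().getStatusCode();
            // UTF-8 is used only as the fallback when the response declares no charset.
            body = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
        }
        if (statusCode != 200) {
            log.warn("Auto update cert failed, statusCode = {},body = {}", statusCode, body);
            throw new WxRuntimeException(getErrorMsg(body));
        }

        List<X509Certificate> certificates = deserializeToCerts(this.apiV3Key, body);
        if (certificates.isEmpty()) {
            // Never replace a working certificate set with an empty one.
            throw new WxRuntimeException("Cert list is empty");
        }
        this.verifier = new CertificatesVerifier(certificates);
    }

    /**
     * Hook for subclasses to adjust the HTTP client builder before each certificate download.
     * The default implementation does nothing. It is also invoked from the constructor, so an
     * override must not depend on subclass state.
     *
     * @param wxPayV3HttpClientBuilder the builder about to be used for the download
     */
    public void customHttpClientBuilder(WxPayV3HttpClientBuilder wxPayV3HttpClientBuilder) {
    }

    /**
     * Decrypts every {@code encrypt_certificate} entry of the response's {@code data} array and
     * returns the certificates that are valid at the current time.
     *
     * @param apiV3KeyBytes key handed to {@code AesUtils} for decryption
     * @param body JSON body of the certificate download response
     * @return the currently valid certificates; empty when {@code data} is missing
     * @throws GeneralSecurityException if decryption fails
     * @throws IOException declared for the decryption and certificate-loading helpers
     */
    private List<X509Certificate> deserializeToCerts(byte[] apiV3KeyBytes, String body) throws GeneralSecurityException, IOException {
        AesUtils decryptor = new AesUtils(apiV3KeyBytes);
        JsonArray data = GsonParser.parse(body).getAsJsonArray("data");
        if (data == null) {
            return Collections.emptyList();
        }
        List<X509Certificate> certificates = new ArrayList<>();
        int size = data.size();
        for (int i = 0; i < size; i++) {
            JsonObject encrypted = data.get(i).getAsJsonObject().getAsJsonObject("encrypt_certificate");
            // getAsString() yields the decoded JSON string value. Stripping quotes from
            // toString() would leave JSON escapes in place and remove legitimate quotes.
            byte[] associatedData = encrypted.get("associated_data").getAsString().getBytes(StandardCharsets.UTF_8);
            byte[] nonce = encrypted.get("nonce").getAsString().getBytes(StandardCharsets.UTF_8);
            String ciphertext = encrypted.get("ciphertext").getAsString();

            String pem = decryptor.decryptToString(associatedData, nonce, ciphertext);
            X509Certificate certificate =
                PemUtils.loadCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
            try {
                certificate.checkValidity();
                certificates.add(certificate);
            } catch (CertificateExpiredException | CertificateNotYetValidException ignored) {
                // Deliberate: a certificate outside its validity window is not trusted, but it
                // does not fail the whole refresh. Log it so a rotation problem is visible.
                log.warn("Skipping platform certificate outside its validity period, serial = {}",
                    certificate.getSerialNumber().toString(16));
            }
        }
        return certificates;
    }

    /**
     * Refreshes the certificate set if it is due, then returns a valid certificate from the
     * current {@link CertificatesVerifier}.
     */
    @Override
    public X509Certificate getValidCertificate() {
        checkAndAutoUpdateCert();
        return this.verifier.getValidCertificate();
    }

    /**
     * Extracts the {@code message} field from an error response body.
     *
     * @param body the response body of a failed certificate download
     * @return the server-supplied message, or {@code "update cert failed"} when the body has no
     *     usable {@code message} field or is not a JSON object
     */
    private String getErrorMsg(String body) {
        try {
            return Optional.ofNullable(GsonParser.parse(body).getAsJsonObject())
                .map(json -> json.get("message"))
                .map(message -> message.getAsString())
                .orElse("update cert failed");
        } catch (RuntimeException e) {
            // A gateway or proxy may answer with a non-JSON body. Keep the caller's
            // WxRuntimeException path instead of surfacing a parser error.
            return "update cert failed";
        }
    }
}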
